Netgate is offering COVID-19 aid for pfSense software users, learn more.

Remote Logging with Syslog

The Remote Logging options under Status > System Logs on the Settings tab allow syslog to copy log entries to a remote server.

The logs kept by pfSense® on the firewall itself are of a finite size and they are cleared on reboot on NanoBSD. Copying these entries to a syslog server can aid troubleshooting and enable long-term monitoring. Having a remote copy can also help diagnose events that occur before a firewall restarts or after they would have otherwise been lost due to clearing of the logs or when older entries are cycled out of the log, and in cases when local storage has failed but the network remains active.


Corporate or local legislative policies may dictate the length of time logs must be retained from firewalls and similar devices. If an organization requires long-term log retention for their own or government purposes, a remote syslog server is required to receive and retain these logs.

To start logging remotely:

  • Navigate to Status > System Logs on the Settings tab

  • Check Send log messages to remote syslog server

  • Configure the options as follows:

Source Address

Controls where the syslog daemon binds for sending out messages. In most cases, the default (Any) is the best option, so the firewall will use the address nearest the target. If the destination server is across an IPsec VPN, however, choosing an interface or Virtual IP address inside the local Phase 2 network will allow the log messages to flow properly over a tunnel.

IP Protocol

When choosing an interface for the Source Address, this option gives the syslog daemon a preference for either using IPv4 or IPv6, depending on which is available. If there is no matching address for the selected type, the other type is used instead.

Remote Log Servers

Enter up to three remote servers using the boxes contained in this section. Each remote server can use either an IP address or hostname, and an optional port number. If the port is not specified, the default syslogd port, 514, is assumed.

A syslog server is typically a server that is directly reachable from the pfSense firewall on a local interface. Logging can also be sent to a server across a VPN.


Do not send log data directly across any WAN connection or unencrypted site-to-site link, as it is plain text and could contain sensitive information.

Remote Syslog Contents

The options in this section control which log messages will be sent to the remote log server.


When set, all log messages from all areas are sent to the server.

System Events

Main system log messages that do not fall into other categories.

Firewall Events

Firewall log messages in raw format. The format of the raw log is covered on the documentation wiki article on the Filter Log Format

DNS Events

Messages from the DNS Resolver (unbound), DNS Forwarder (dnsmasq), and from the filterdns daemon which periodically resolves hostnames in aliases.

DHCP Events

Messages from the IPv4 and IPv6 DHCP daemons, relay agents, and clients.

PPP Events

Messages from PPP WAN clients (PPPoE, L2TP, PPTP)

Captive Portal Events

Messages from the Captive Portal system, typically authentication messages and errors.

VPN Events

Messages from VPN daemons such as IPsec and OpenVPN, as well as the L2TP server and PPPoE server.

Gateway Monitor Events

Messages from the gateway monitoring daemon, dpinger

Routing Daemon Events

Routing-related messages such as UPnP/NAT-PMP, IPv6 routing advertisements, and routing daemons from packages like OSPF, BGP, and RIP.

Server Load Balancer Events

Messages from relayd which handles server load balancing.

Network Time Protocol Events

Messages from the NTP daemon and client.

Wireless Events

Messages from the Wireless AP daemon, hostapd.

  • Click Save to store the changes.

If a syslog server is not already available, it is fairly easy to set one up. See Syslog Server on Windows with Kiwi Syslog for information on setting up Kiwi Syslog on Windows. Almost any UNIX or UNIX-like system can be used as a syslog server. FreeBSD is described in the following section, but others may be similar.

Configuring a Syslog Server on FreeBSD

Setting up a syslog server on a FreeBSD server requires only a couple steps. In this example, replace with the IP address of the firewall, replace exco-rtr with the hostname of the firewall, and replace with the full hostname and domain of the firewall. This example uses because the best practice is to send syslog messages using the internal address of a firewall, not a WAN interface.


These changes must all be made on the syslog server, not on the firewall.

First, the firewall will likely need an entry in /etc/hosts containing the address and name of the firewall:            exco-rtr

Then adjust the startup flags for syslogd to accept syslog messages from the firewall. Edit /etc/rc.conf and add this line if it does not exist, or add this option to the existing line for the setting:

syslogd_flags=" -a"

Lastly, add lines to /etc/syslog.conf to catch log entries from this host. Underneath any other existing entries, add the following lines:

*.*                                             /var/log/exco-rtr.log

Those lines will reset the program and host filters, then set a host filter for this firewall using the short name as entered in /etc/hosts.


Look at /etc/syslog.conf on the pfSense firewall for ideas about filtering the logs for various services into separate log files on the syslog server.

After these changes, syslogd must be restarted . On FreeBSD this is one simple command:

# service syslogd restart

Now look at the log file on the syslog server and if the configuration is correct, it will be populating the logs with entries as activity happens on the firewall.